We don't have a final speaker yet, but we will definitely have a presentation and will announce it as soon as we have confirmed with the speaker.


Tuesday, June 17th 2014
We'd like to invite you to the third of six OWASP Switzerland meetings in 2014. Please make sure to register for the event.

When:

Tuesday, June 17th 2014

Starting at 18:00

Doors at 17:30

What:

XSS and beyond (René Freingruber, SEC Consult)

Cross-Site Scripting (XSS) vulnerabilities are among the most frequently encountered vulnerability classes today. Unfortunately, they are often underestimated, for example because an attacker cannot directly compromise the database or the web server by exploiting them. What an attacker can do is execute JavaScript in the context of a user's session, which allows stealing session cookies, logging keystrokes, and so on. This talk goes beyond these basic attacks and shows the audience how attackers can completely compromise client systems by exploiting vulnerabilities in browsers. Based on real-world vulnerabilities, attacks against browsers running on an older operating system (e.g. Windows XP) will be demonstrated. Current operating systems (such as Windows 8.1) have implemented many mitigation techniques to prevent attackers from exploiting such vulnerabilities. The talk explains the most important mitigation techniques and presents possible bypasses. At the end of the presentation, a real-world Firefox exploit will be shown that works reliably against all major Windows versions (including Windows 8.1 and Windows Server 2012), fully bypasses ASLR/DEP (without depending on Java 6), does not use heap spraying and does not crash the browser, demonstrating that such attacks are still possible and that mitigation techniques can be bypassed.

New Standards and upcoming Technologies in Browser Security (Slides by Tobias Gondrom)

2011-05-12

Swiss Cyber Storm III

Do you know OWASP?

2011-04-12

Chapter Meeting

ASP.NET & ViewState Security

2010-04-12

Chapter Meeting

Usability vs. Security

2010-04-12

Chapter Meeting

2-factor authentication for mobile devices: a secure and practical approach

2009-06-25

Chapter Meeting

Benefits of a security API such as ESAPI

2009-06-25

Chapter Meeting

Advanced SQL injection exploitation to operating system full control

2009-04-07

Chapter Meeting

Open security architecture (www.opensecurityarchitecture.org)

2009-04-07

Chapter Meeting

XSRF and JSON hijacking & a hands-on session

2008-09-08

Chapter Meeting

Quality of services for web applications (Hands-On Workshop)

2008-09-08

Chapter Meeting

XML Security (Hands-On Workshop)

2008-09-08

Chapter Meeting

ISC2/Application security

2008-04-01

Global OWASP Week

Taking Apache access logs to the next level

2008-04-01

Global OWASP Week

Implementing an Application Security Lifecycle programme

2008-04-01

Global OWASP Week

WebAppSec the Big Picture

2007-12-11

Chapter Meeting

Certified Secure Web

2007-12-11

Chapter Meeting

Secure Development Life Cycle

2007-12-11

Chapter Meeting

Securing my Assets (Presentation & Demo)

2007-09-20

Security-Zone

OWASP Testing Guide

2007-09-19

Security-Zone

OWASP Top 10

2007-07-24

Chapter Meeting

OWASP - An Overview

2007-07-24

Chapter Meeting

Dependability for Java Mobile Code

2007-07-24

Chapter Meeting

OWASP Top 10 (Demo)

2007-04-26

Chapter Meeting

Risk metrics

2007-02-12

Chapter Meeting

XSS-Worms

2006-11-11

Chapter Meeting

OWASP Switzerland Chapter Kick-Off Meeting

OWASP Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

Our main topics are:

Security testing

Secure development

Hacking

Secure Architectures

If you would like to give a presentation (make sure that you have read and understood the speaker agreement), or have any questions about the OWASP Switzerland Chapter, send an email to Sven Vetsch.

Help us to make application security visible and become a supporter of the OWASP or our Chapter in Switzerland. All information about becoming a member/sponsor can be found here.

If your company is interested in supporting us directly, please contact Sven Vetsch to talk about the following sponsoring possibilities.